
ACL doesn't seem to be working

rolandshum
Level 1

I have the following ACL on my border gateway.

access-list 120 remark Only applied to g0/0

access-list 120 remark Prevents Pings to router

access-list 120 deny icmp any any echo log

access-list 120 deny icmp any any traceroute log

access-list 120 permit icmp 66.28.3.0 0.0.0.255 host 38.38.38.150

access-list 120 permit icmp 66.250.250.0 0.0.0.255 host 38.38.38.150

access-list 120 permit icmp 130.117.19.0 0.0.0.255 host 38.38.38.150

access-list 120 permit ip any any

The hosts from the 3 networks permitted to ping don't seem to be able to do it. They keep getting destination unreachable. Anyone see what I'm doing wrong here?

1 Accepted Solution

Jon Marshall
Hall of Fame

Hi

You need to rearrange the order of your access-list. The 3 networks you are trying to permit are getting blocked by your 2 deny lines above it. Once a line in an access-list has been matched, that is it.

You need to change the order to

access-list 120 permit icmp 66.28.3.0 0.0.0.255 host 38.38.38.150

access-list 120 permit icmp 66.250.250.0 0.0.0.255 host 38.38.38.150

access-list 120 permit icmp 130.117.19.0 0.0.0.255 host 38.38.38.150

access-list 120 deny icmp any any echo log

access-list 120 deny icmp any any traceroute log

access-list 120 permit ip any any

HTH

Jon
